Hi,
This seems to be fixed in 6.3.4 (Yubico's webauthn implementation is
bumped to 1.9.0)
Best regards,
Linos
On 4/29/21 12:36 PM, Linos Giannopoulos wrote:
Hey!
We are in the process of evaluating WebAuthn as our main MFA provider
and although it's been smooth when Yubikeys are used,
we ran into an issue when we attempted to use MongoDB as the backend
storage.
Although the registration works as expected, authentication seems broken:
```
2021-04-29 12:31:11,363 ERROR [com.yubico.core.WebAuthnServer] -
<Failed to update signature count for user "lgian", credential
"ByteArray(cd3b1add6896273ff0bd0271f184842ac8c48ca6c9c6234e3157e557e328a51d64e1eca4e96bb2a63cd1d8be17b26c26a980821b366115498a86afd7b4186ea7)">
java.lang.reflect.UndeclaredThrowableException: null
at com.sun.proxy.$Proxy202.updateSignatureCount(Unknown Source) ~[?:?]
at
com.yubico.core.WebAuthnServer.finishAuthentication(WebAuthnServer.java:550)
~[cas-server-webauthn-helper-1.7.1.jar:?]
at
org.apereo.cas.webauthn.web.WebAuthnController.finishAuthentication(WebAuthnController.java:113)
~[cas-server-support-webauthn-core-6.3.3.jar:6.3.3]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method) ~[?:?]
at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[?:?]
at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at
org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
at
org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
~[spring-web-5.2.12.RELEASE.jar:5.2.12.RELEASE]
[...]
Caused by: com.fasterxml.jackson.databind.JsonMappingException: (was
java.lang.NullPointerException) (through reference chain:
java.util.HashSet[0]->com.yubico.data.CredentialRegistration["registrationTime"])
at
com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:390)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:349)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.std.StdSerializer.wrapAndThrow(StdSerializer.java:316)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:778)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:178)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:480)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:319)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ObjectMapper._writeValueAndClose(ObjectMapper.java:4485)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ObjectMapper.writeValueAsString(ObjectMapper.java:3740)
~[jackson-databind-2.12.0.jar:2.12.0]
at
org.apereo.cas.webauthn.MongoDbWebAuthnCredentialRepository.update(MongoDbWebAuthnCredentialRepository.java:81)
~[cas-server-support-webauthn-mongo-6.3.3.jar:6.3.3]
at
org.apereo.cas.webauthn.storage.BaseWebAuthnCredentialRepository.updateSignatureCount(BaseWebAuthnCredentialRepository.java:89)
~[cas-server-support-webauthn-core-6.3.3.jar:6.3.3]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method) ~[?:?]
at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[?:?]
at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at
org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282)
~[spring-core-5.2.12.RELEASE.jar:5.2.12.RELEASE]
at
org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)
~[spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
... 120 more
Caused by: java.lang.NullPointerException
at
com.yubico.data.CredentialRegistration.getRegistrationTimestamp(CredentialRegistration.java:58)
~[cas-server-webauthn-helper-1.7.1.jar:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method) ~[?:?]
at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[?:?]
at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at
com.fasterxml.jackson.databind.ser.BeanPropertyWriter.serializeAsField(BeanPropertyWriter.java:689)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.std.BeanSerializerBase.serializeFields(BeanSerializerBase.java:770)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.BeanSerializer.serialize(BeanSerializer.java:178)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serializeContents(CollectionSerializer.java:145)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:107)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.std.CollectionSerializer.serialize(CollectionSerializer.java:25)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:480)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ser.DefaultSerializerProvider.serializeValue(DefaultSerializerProvider.java:319)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ObjectMapper._writeValueAndClose(ObjectMapper.java:4485)
~[jackson-databind-2.12.0.jar:2.12.0]
at
com.fasterxml.jackson.databind.ObjectMapper.writeValueAsString(ObjectMapper.java:3740)
~[jackson-databind-2.12.0.jar:2.12.0]
at
org.apereo.cas.webauthn.MongoDbWebAuthnCredentialRepository.update(MongoDbWebAuthnCredentialRepository.java:81)
~[cas-server-support-webauthn-mongo-6.3.3.jar:6.3.3]
at
org.apereo.cas.webauthn.storage.BaseWebAuthnCredentialRepository.updateSignatureCount(BaseWebAuthnCredentialRepository.java:89)
~[cas-server-support-webauthn-core-6.3.3.jar:6.3.3]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method) ~[?:?]
at
jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
~[?:?]
at
jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at
org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282)
~[spring-core-5.2.12.RELEASE.jar:5.2.12.RELEASE]
at
org.springframework.cloud.context.scope.GenericScope$LockedScopedProxyFactoryBean.invoke(GenericScope.java:499)
~[spring-cloud-context-2.2.6.RELEASE.jar:2.2.6.RELEASE]
at
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
at
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
~[spring-aop-5.2.12.RELEASE.jar:5.2.12.RELEASE]
... 120 more
```
Also, the issue does not exist when the in-memory storage is used.
We are on version 6.3.3, but I should mention that we've worked around
an issue that 6.3.3 currently has.
The issue seems to be fixed on the 6.3.X branch, but the WAR overlay
version is broken:
```
Could not find org.apereo.cas:cas-server-webauthn-helper:1.7.0.
```
After looking into it, `cas-server-webauthn-helper` exists under the
`org.apereo` organization (and also, version 1.7.0 no longer exists).
Again, this commit[0] seems to be fixing the issue. But to work around
it for our version, we did the following:
```
+ compile "org.apereo:cas-server-webauthn-helper:1.7.1"
+ compile
("org.apereo.cas:cas-server-support-webauthn:${project.'cas.version'}"){
+ exclude group: 'org.apereo.cas', module:
'cas-server-webauthn-helper'
+ }
+ compile
("org.apereo.cas:cas-server-support-webauthn-mongo:${project.'cas.version'}"){
+ exclude group: 'org.apereo.cas', module:
'cas-server-webauthn-helper'
+ }
```
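Review bot: the helper is pinned to a hard-coded 1.7.1 while the two CAS modules follow `${project.'cas.version'}`, so the pin will silently drift the next time cas.version moves (the reply says 6.3.4 bumps Yubico's webauthn implementation to 1.9.0). The exclusions also only repair the artifact coordinates; the NullPointerException in the trace is raised inside `cas-server-webauthn-helper-1.7.1.jar` at `CredentialRegistration.getRegistrationTimestamp`, so this workaround leaves that failure in place. Consider deriving the helper version from a property kept next to cas.version, and drop the pin when upgrading.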
[0]: https://github.com/apereo/cas/commit/ca75765649a7383a301370f94b5ff1a6146faf8a
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9d7cb9f5-7cfe-5e8d-d68b-4855099c3b91%40skroutz.gr
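The failing step in the report is the signature counter update: the stored record had no registration time, and the serializer dereferenced it. The following Python sketch is an added example, not CAS or Yubico code; it mirrors the null-unsafe getter beside a null-tolerant one, and the WebAuthn signature counter check that the update exists to support. All names and sample values are constructed.

```python
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class CredentialRegistration:
    """Constructed stand-in for a stored WebAuthn credential record."""
    username: str
    credential_id: str
    signature_count: int
    registration_time: Optional[datetime] = None  # absent in some stored records


def registration_timestamp_unsafe(reg: CredentialRegistration) -> str:
    # Mirrors the failing getter in the trace: the field is dereferenced without a
    # null check, so a record with no registration time fails during serialization.
    return reg.registration_time.isoformat()


def registration_timestamp(reg: CredentialRegistration) -> Optional[str]:
    # Null-tolerant variant: a missing timestamp becomes JSON null, not an exception.
    return reg.registration_time.isoformat() if reg.registration_time else None


def serialize(reg: CredentialRegistration) -> str:
    return json.dumps({"username": reg.username, "credentialId": reg.credential_id,
                       "signatureCount": reg.signature_count,
                       "registrationTime": registration_timestamp(reg)})


def deserialize(raw: str) -> CredentialRegistration:
    d = json.loads(raw)
    ts = d.get("registrationTime")
    return CredentialRegistration(d["username"], d["credentialId"], d["signatureCount"],
                                  datetime.fromisoformat(ts) if ts else None)


def finish_authentication(store: dict, cred_id: str, auth_count: int) -> bool:
    """WebAuthn signature counter check, then persist. The counter is the relying
    party's clone-detection signal: if either value is non-zero and the authenticator's
    count has not increased, reject and write nothing. True only when stored."""
    reg = deserialize(store[cred_id])
    if (auth_count != 0 or reg.signature_count != 0) and auth_count <= reg.signature_count:
        return False
    reg.signature_count = auth_count
    store[cred_id] = serialize(reg)  # the write that failed in the MongoDB path above
    return True
```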